berbew | c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe
Size

67KB
MD5

668d90ff558883850e0632978e511cd4
SHA1

c923996d5743a5e46068fd91cc58019df8c79763
SHA256

c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe
SHA512

787b6b6c7ca9d3fa58c001dcafcef75772dcc38134ffc6155f94b2fea3c19d372943cb59098406c5b46ee5104de4a616ee196d494d1bf723629dc8a676c2e6e6
SSDEEP

1536:qEpB/VSM9Tyb5Kn8wOlZ7DT6Y/CyuqRQDR/Rj:h7P9Ty90dOl16Y6qeDVx

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 57 IoCs

pid	Process
4384	Pmidog32.exe
1376	Pdpmpdbd.exe
1192	Pfaigm32.exe
3560	Qmkadgpo.exe
4116	Qgqeappe.exe
3336	Qnjnnj32.exe
1928	Qqijje32.exe
740	Qgcbgo32.exe
1512	Anmjcieo.exe
220	Adgbpc32.exe
2040	Acjclpcf.exe
4944	Ajckij32.exe
3656	Ambgef32.exe
3708	Aclpap32.exe
4600	Afjlnk32.exe
3364	Amddjegd.exe
4516	Agjhgngj.exe
1304	Andqdh32.exe
3360	Aeniabfd.exe
3028	Afoeiklb.exe
2132	Aminee32.exe
1836	Accfbokl.exe
2364	Bfabnjjp.exe
3056	Bnhjohkb.exe
4092	Bagflcje.exe
2336	Bganhm32.exe
1880	Bmngqdpj.exe
4956	Bjagjhnc.exe
2344	Bgehcmmm.exe
4456	Beihma32.exe
4772	Bjfaeh32.exe
2696	Belebq32.exe
4536	Cjinkg32.exe
2068	Cmgjgcgo.exe
4864	Cabfga32.exe
4100	Chmndlge.exe
4232	Cnffqf32.exe
4980	Ceqnmpfo.exe
3688	Cfbkeh32.exe
628	Cnicfe32.exe
1156	Ceckcp32.exe
2192	Chagok32.exe
3528	Cnkplejl.exe
1280	Cajlhqjp.exe
2312	Chcddk32.exe
3092	Cjbpaf32.exe
4760	Cegdnopg.exe
2352	Djdmffnn.exe
1644	Danecp32.exe
3176	Daqbip32.exe
2836	Ddonekbl.exe
1500	Dkifae32.exe
2392	Deokon32.exe
4168	Dhmgki32.exe
3232	Dmjocp32.exe
1220	Dddhpjof.exe
2656	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	2656	WerFault.exe	138

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 4384	1120	c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe	82
PID 1120 wrote to memory of 4384	1120	c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe	82
PID 1120 wrote to memory of 4384	1120	c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe	82
PID 4384 wrote to memory of 1376	4384	Pmidog32.exe	83
PID 4384 wrote to memory of 1376	4384	Pmidog32.exe	83
PID 4384 wrote to memory of 1376	4384	Pmidog32.exe	83
PID 1376 wrote to memory of 1192	1376	Pdpmpdbd.exe	84
PID 1376 wrote to memory of 1192	1376	Pdpmpdbd.exe	84
PID 1376 wrote to memory of 1192	1376	Pdpmpdbd.exe	84
PID 1192 wrote to memory of 3560	1192	Pfaigm32.exe	85
PID 1192 wrote to memory of 3560	1192	Pfaigm32.exe	85
PID 1192 wrote to memory of 3560	1192	Pfaigm32.exe	85
PID 3560 wrote to memory of 4116	3560	Qmkadgpo.exe	86
PID 3560 wrote to memory of 4116	3560	Qmkadgpo.exe	86
PID 3560 wrote to memory of 4116	3560	Qmkadgpo.exe	86
PID 4116 wrote to memory of 3336	4116	Qgqeappe.exe	87
PID 4116 wrote to memory of 3336	4116	Qgqeappe.exe	87
PID 4116 wrote to memory of 3336	4116	Qgqeappe.exe	87
PID 3336 wrote to memory of 1928	3336	Qnjnnj32.exe	88
PID 3336 wrote to memory of 1928	3336	Qnjnnj32.exe	88
PID 3336 wrote to memory of 1928	3336	Qnjnnj32.exe	88
PID 1928 wrote to memory of 740	1928	Qqijje32.exe	89
PID 1928 wrote to memory of 740	1928	Qqijje32.exe	89
PID 1928 wrote to memory of 740	1928	Qqijje32.exe	89
PID 740 wrote to memory of 1512	740	Qgcbgo32.exe	90
PID 740 wrote to memory of 1512	740	Qgcbgo32.exe	90
PID 740 wrote to memory of 1512	740	Qgcbgo32.exe	90
PID 1512 wrote to memory of 220	1512	Anmjcieo.exe	91
PID 1512 wrote to memory of 220	1512	Anmjcieo.exe	91
PID 1512 wrote to memory of 220	1512	Anmjcieo.exe	91
PID 220 wrote to memory of 2040	220	Adgbpc32.exe	92
PID 220 wrote to memory of 2040	220	Adgbpc32.exe	92
PID 220 wrote to memory of 2040	220	Adgbpc32.exe	92
PID 2040 wrote to memory of 4944	2040	Acjclpcf.exe	93
PID 2040 wrote to memory of 4944	2040	Acjclpcf.exe	93
PID 2040 wrote to memory of 4944	2040	Acjclpcf.exe	93
PID 4944 wrote to memory of 3656	4944	Ajckij32.exe	94
PID 4944 wrote to memory of 3656	4944	Ajckij32.exe	94
PID 4944 wrote to memory of 3656	4944	Ajckij32.exe	94
PID 3656 wrote to memory of 3708	3656	Ambgef32.exe	95
PID 3656 wrote to memory of 3708	3656	Ambgef32.exe	95
PID 3656 wrote to memory of 3708	3656	Ambgef32.exe	95
PID 3708 wrote to memory of 4600	3708	Aclpap32.exe	96
PID 3708 wrote to memory of 4600	3708	Aclpap32.exe	96
PID 3708 wrote to memory of 4600	3708	Aclpap32.exe	96
PID 4600 wrote to memory of 3364	4600	Afjlnk32.exe	97
PID 4600 wrote to memory of 3364	4600	Afjlnk32.exe	97
PID 4600 wrote to memory of 3364	4600	Afjlnk32.exe	97
PID 3364 wrote to memory of 4516	3364	Amddjegd.exe	98
PID 3364 wrote to memory of 4516	3364	Amddjegd.exe	98
PID 3364 wrote to memory of 4516	3364	Amddjegd.exe	98
PID 4516 wrote to memory of 1304	4516	Agjhgngj.exe	99
PID 4516 wrote to memory of 1304	4516	Agjhgngj.exe	99
PID 4516 wrote to memory of 1304	4516	Agjhgngj.exe	99
PID 1304 wrote to memory of 3360	1304	Andqdh32.exe	100
PID 1304 wrote to memory of 3360	1304	Andqdh32.exe	100
PID 1304 wrote to memory of 3360	1304	Andqdh32.exe	100
PID 3360 wrote to memory of 3028	3360	Aeniabfd.exe	101
PID 3360 wrote to memory of 3028	3360	Aeniabfd.exe	101
PID 3360 wrote to memory of 3028	3360	Aeniabfd.exe	101
PID 3028 wrote to memory of 2132	3028	Afoeiklb.exe	102
PID 3028 wrote to memory of 2132	3028	Afoeiklb.exe	102
PID 3028 wrote to memory of 2132	3028	Afoeiklb.exe	102
PID 2132 wrote to memory of 1836	2132	Aminee32.exe	103

C:\Users\Admin\AppData\Local\Temp\c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe
"C:\Users\Admin\AppData\Local\Temp\c83a1e8e62d4da0c6ec0917444370dc1106653e7a8603c45e491b495880db9fe.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\Pmidog32.exe
  C:\Windows\system32\Pmidog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\Pdpmpdbd.exe
    C:\Windows\system32\Pdpmpdbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\Pfaigm32.exe
      C:\Windows\system32\Pfaigm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 416
        59⤵
        Program crash
        
        PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2656 -ip 2656
1⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
67KB

MD5
88597a4b739886545654a8522f0852f7

SHA1
1f84b7f7ef1fe37a1c79ae8aaead09ea3ba191c4

SHA256
503b2761df5e748a79ace0f237ce0b8779c6caa08366c7bfeb46bfb897b1bf0f

SHA512
c8bc657a513e05504c73bd9bf1e76acd9548e80f9c8a9badf718fd01c41e9e77904177e398e3d3d865c8fb9a7a8fa7fdcb7cf4a6bee695723a1af3981b90db23

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
67KB

MD5
3b3fa96778b02bc3b7456edc75c8eae4

SHA1
9bc4b4a55b5d620a1b8ed7af866299b01de885b9

SHA256
95c5018bef0fd7650b6c16010c446d47d2e6bf29b8f8b8924f991c630cb2745a

SHA512
8dd567befb7c237bf697290b0af2ae7c950ad8639eef98b72b977593bd1ee69bd90110fb9497da5c3ee1801e7b0b875eb4254c0a7353717b1dc2476d5fcd316e

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
67KB

MD5
7eea48d42f01bde3f0c1268a5d6615d6

SHA1
d4fcec187b4a89f04e064ed18f559d52adbb9f5d

SHA256
2fd49a1fa6e033c56d994ac844ae81fa2acc3153a09f70ccc80d5a3990b31ecc

SHA512
7bb3e5fb18eef608ad99f03354a20f01e20f23150ee62b90401e4a3e966e9a2b0ce4f4d8cc3e5f180507dc7e1567c32948639e8e43afa66945f614b883d0c59e

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
67KB

MD5
f9804a7ce2d889aa0d2250f955d2465b

SHA1
403b06e5767ecda9b905498ae9a772293623c7d5

SHA256
eb560f1dc923e4e259311c0cedf5d291e279aa39afa3c2838223c126196d3fd2

SHA512
6b1712c0ecb69d72879be1ac469ca2a13c3d21d2315fb524372c30ea4868f9985e88219e54a937ebc35941a53fe7d3603814cd80530aeb868ae96447711763a0

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
67KB

MD5
05de1ccedec1a4d0a2ef292eb7aa87c4

SHA1
8d30c6b4dc4368927df25bcbf36942e169e179b1

SHA256
4e661fe281d8ea3b4f5aced3ef59700600ca59a2bcddc21400764a22bd6d7250

SHA512
e3052f4c7c5ee527b24a1b0c498966244d3a469bdab6901e0c340fa5151d3dbf2fe9d542639a312aa7686ae6e36c125829522e188727778dbeb84c2ec81eefee

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
67KB

MD5
03b45c090a557b2f851e9db1d46d7e19

SHA1
be131625b79985bd5c03495175f6300e5c727051

SHA256
51ac52d077c85fb95581c9e88ed12b4c052ea29e98610a348cd62d0871d43826

SHA512
1d0fc89231a676249a3fedda3cb2f7c8200ac02acc6771ea2fa055f2dc13d815ca3fa5a43f4d4b4b0110100328b7d99dfa97863b1d6ff6a575b72abce3104434

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
67KB

MD5
37cd2b18bcb48f1de08ec84904054850

SHA1
fb2546e950e2451f7da4746e27669f64075ad50d

SHA256
a589b4b3f18fb7ada71283276d59170f7e5913db1e420272809281d89f80716c

SHA512
c303fe0d8c68969c05fe5030bc2544e481b48390192e772bdce968f25e7246a950ae3772736fef55e0cc24df97ef7c9053c1f9faf38cdafdc86da83b38c0b07e

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
67KB

MD5
0f4358e55aa70b24dcfad076df204784

SHA1
497530408298073f89c792525555b767c1e11677

SHA256
bcb7396e4520c8197e18b375f170aaf89570f02908d5856cc5f11977bfa580c1

SHA512
0960bc40de1a5e39d3deaf962141005c140629db1342cf043781643d52c97228a502816ffb15ddfeecd57489a744f44f6384b0f45c394e85567aea420f47d94c

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
67KB

MD5
5cb51e167f811db5ac2850d9923c19f0

SHA1
8cd63e96404f1e95a151fce3c58b8682577e6759

SHA256
52f7641f3b47fb92d3ae281100a965e4597d79f54beb25f40cefe525251193a6

SHA512
365f69bb204bda3ceb2b96ecbed887792d4ac1e3c6f6b53888321f077e2f885a8476f0bef8d490d8ce62e4a8e1efd28d3a0ad0a9554c5830b7ee46be560dcc2c

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
67KB

MD5
9119e4e8166eaceff2c4e9c937df2e32

SHA1
a3141793afcac39962683b9fd96766b73254302c

SHA256
727613b7a326d71e615181970535539fd2a85b80843850d8882c6f595e5eb005

SHA512
c8ccba6e28fde8199244558cd4412c0578c07729f58d777265c8e1eee23c812644a0ce5204c6a12dae3fe2fcf9fd6b39ebd698fb05708726f0b1e2c2fd939bff

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
67KB

MD5
aa6548fb646a389b96b80a0c337bef2e

SHA1
351790235447e3d2f577b8530050d7178de04505

SHA256
ef3c8e929ce757b6486135369c20a1ae3317607b26ab044a58af385a57732b44

SHA512
5f982df8edd3388fb82465f654f792d589c88d6c4eef28358953a9bf63a895b8803b0de04606c15b3c0290c52a39447387b3a76e8b20fad4d40e1a15bf012173

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
67KB

MD5
141f7bd9f94f18496e7b64ca3c383a10

SHA1
6063200c711e6bab14207a96bf2737dc7259bcdf

SHA256
e36414a803adb9f790e4a0d18c08b5ed935c85f84aef6aebefef76ca0a31359c

SHA512
3438011406d0f9dca4eb3856c0183aea9a6abcf515e5f4751b49172676d74091d70e4db67bacc102ef7c4b58568a95c5f3e05ec7eb8e256749d8d32368f80b4c

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
67KB

MD5
4c5d624b8187dbcbe8cfb6eee0912bd3

SHA1
aa27899875e319111bba4bac5af02cf6bb257ba3

SHA256
22bfb31a477001751090f1a68913e4e747e29cb9af0c2a15f50e389d2202ad05

SHA512
03e22a49ad40424b1fb1af4f17e42327b37680f00b3110272029de9ce8ad10a928d4c7ac2b0dc04a77295b69b61de87d780eaaaab817318956e3c9af02527abc

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
67KB

MD5
117c50978b32b213239fb1c02eb7557b

SHA1
ee2bab4e458a82c2df91e63c84de2b220c73fb5e

SHA256
fc6e3d0af7758a94e29818711bb5244ab88a9d866dc1e4b9235d30b5c81e115a

SHA512
adf7ad63f57f5310525fde3282b6ba12cb996a0d5bef1299216fb55fba413f7215d2f1a73137b98aac9041892ba487746ac9178ec1aa2b2d7fbb30e2628e191f

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
67KB

MD5
3ee01d28836df5c9596ae795917dd6af

SHA1
21a16cc300eb45e8e0762fed5bc80a2831e4f5a6

SHA256
bb5918a284c5113697b9313df03693835bbc1cda581523cb38dec05254ef7742

SHA512
7f4cf1a48032b0251aeaaa2a29f4ead985493ecf05131d170c1413a6df7d5783691d403cc6cf6d301e1d90e1e155db0da6ef8a1a4000c37eaf829ab4ba16a8ad

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
67KB

MD5
8ba76e50868cefd5d87f226ae1062381

SHA1
d7b3883e599b0dc59fa7dd28088c4ce9f87d671e

SHA256
d48d80f6d3c59c6f85311ab858c15699c52015cd3a548e446dfdefcdcedbe4f3

SHA512
0e538b349fd8e4f4933dea7ef268f95e2e18e05da0d043db438cef9c034974947edd975a1ad9574f3db3904aabfb6fb4aa449b98ef58c5993dd5ce9b476fac24

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
67KB

MD5
0154bc5bd1d92fbd7cf933ccd1b4141e

SHA1
6a410b107d4e9cc0bacdff9735f6b01469829c79

SHA256
11f64d6be5ee94f32741e47c7fe9d020342b24fd23f2784d289ff7986d02f6b9

SHA512
9e69fe8e3bd4a214cd2c95a1fc5e81f4f3fab826924f8b29adae628578d72e797135478725482eb8d348e280968f707fce17f850eb51a21aabd5a03b46c4680d

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
67KB

MD5
bed2dba2313ee2c5bd11ce97c8692530

SHA1
fe55a492afef8f0935a58a792eee79b5a11f8d11

SHA256
2fabd9c1f93dc66ccc793adeda0d160fbc13f5e7255d7a0191f9a71e1928c578

SHA512
26238758580306427a3faf2baf7ddd4c85121cf5aa6db8d6acb95b53bf3480183c447cd8a32c48a84a95d9ea69a8135b546ae24d72416a7497c52b7056afde2a

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
67KB

MD5
d5ba5c3ee0a8af5e890e00e223254376

SHA1
8ba2f2e243ba91a48254361c6efe77c16f12dd9c

SHA256
79b3ff2ead4c5b17ed78fca6dfcbd1271c1d8a1ba705614586398eb5ac8cb1b9

SHA512
c5f15ca5cbc91ed31d8f07b660f606c9f60616553006cf590c9a2981278b59babcbad0ac9a34953558030f0713b79d04275672688b2ba2b022d97ebdb6b3e5dd

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
67KB

MD5
0420dfadff8274022f37889cead750ca

SHA1
79bb1935767a43de8fa28bd667a3a71bd8374a04

SHA256
a1d8a15cad68407c5dbc968efdb8dcfb072378846a25ce2181d8c5c225183001

SHA512
f592b79451c798c6efed6ebd70621b9f6ce06112ad5f7023b0df2654408ca430941999573595bff31173d50b896aab58350f93eacb0d1ac7b60bcb27873593fd

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
67KB

MD5
3add533c0fb5dd14b8ea1efa062a5c8d

SHA1
788241f5969cf99eccb4dc6b3d03f26e570b7bf0

SHA256
0ef577717b87b8ec4a64b2c9a6d9565aaaaef49919553730cca4490557237ca1

SHA512
641b1f1ab6b1c027543ae2f86ee9124c40904ef454f9f3de1366b1bc6636e9a8440ed3c2a837aa797bee21250aa997a1e099a4bf3fb4c0d38415ffea47318b9c

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
67KB

MD5
b7ef2838b14f6ca95614fbee0965c53c

SHA1
6bef9a0781408f919aa71c1b74e7e701ce01275d

SHA256
691276094746350705169b1780d3b22f1c7c8d662e0268dfb78396c53d5c0828

SHA512
1771fdff46faf435655a29f59ab5ac2ae3e640c80c649f4e4f19d4044e65936e7f186c99a97f0ba69847e89e61052a32f8214cc08a9f61251cf0ce46ae594b20

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
67KB

MD5
73bf63fdc87d90e668dca38ed9bb3914

SHA1
175833da02210ea2bcd983c72bb18599b68755c0

SHA256
1dd0ac3f4711e4deadfeef9ef466530a96648bf10cfcfd4d8caa28476ddba30f

SHA512
dfaf42dffe81d5718ea3ae323c0522fe59559ad8670e2339afd70c5136beeed23bc6e3650f5db20f7ba8d3364a2d03ceec6050c4d52088174769addcca56dc65

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
67KB

MD5
ee69b011cb204916624bf3515c49b997

SHA1
88728b0a7667a9971647da97dbc8a57c46564235

SHA256
bf4f467cc5d2d4d74e5ca6bbab3b94803abcae37eedd497e05bc03ada786d19a

SHA512
eec0405c92aad606b54ae811c6a85a28ef4eef0fc9431dff71a3d1d531f5dcb32aa0351443deef5e2785fbe4bff54953c735668cc98f3d4415830ad508acc612

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
67KB

MD5
33f95f7a1c32c531c740c0d9111fa479

SHA1
d33ffce8e8711c0c8222e5d96fcd1ed7582ef674

SHA256
4fac3c6fa8c06941cda7dba4ca932ba59f8312e53b228fcc4b7d4b39600e3705

SHA512
45b8ced10a3321ff5e914b0d71a29cdc425dc70c662908332fb26ef743b3d00bcc85c5850e4fcd8574f914d6153b1113a109c250ee8803ea7a848b6c36e289d0

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
67KB

MD5
85fff2724592d30494a152f41b802f72

SHA1
917c4a1fa0719e44045fd1558abc5dc6479cee4a

SHA256
c428f5016a5373930a9f1e6d4072c318ac025d25c72d234c40be3bdc34ce357e

SHA512
503a4559e2722db9175f1857a314724a10ba0caf3ae0a462dcf60f20a91c9e281ee718a3deeb3b1e71f49f00bf33fbabfcc31958c3b7af1a358f73a2dafb34ab

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
2149cc87acb5276efda871b2c55e4146

SHA1
aeaa0d280db41f6403fada677ad9092540a699a3

SHA256
9ac3c99e1faece9ef7bf5ef0e6b69052c69cf0c73abe2290d9af86aab3259cf3

SHA512
be64f23bd757aa4b54c28267f6769b0e2ceffcb1b374f6aad7ea0abb178ca317d808f6867bc3364c5f3f543a7b16706501c144ce45b6ecfcdbef0a9412f43c84

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
67KB

MD5
78dbab96f79c99518a3e8a34b40538a6

SHA1
fed5582fea293509cff5d8ebedf745a13e93c36e

SHA256
cf94a42ec8e92fa225153f0a4b171f98645a7740dc6bd04ea7df54cb9a118b7c

SHA512
232b38018005b4371ad60fe65c161f029ed858846860c6d4ae85a47e7de0af2f6678e10481304144c7c06151c965a534554c54a6344a8cecfd9c877dcaa209ff

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
67KB

MD5
5f990f66d4f56da887da35630cd181e8

SHA1
bc1de81a620ca890b834c72dbd5e057e64ec73c1

SHA256
6b4b3f1f1e06a9350f8159f22a887f4683682aba1d2c55d791310aa1723d0cfd

SHA512
b259cf8c66076a4e74ecb98ee92b863b5fad2a0b6bdd80285612c06fe56707533cb479961863afb82fedd65654f1f01b2d3d9300e404bec4f05e2d6a50185700

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
67KB

MD5
d13da918d2018e32a6b2e7152fe97fcb

SHA1
e7f5bdca8482a3863ffe9ac0e932445e031c042c

SHA256
42fa0048ab999c4ff593405759b854db4e3cb40a193c0934797d488f718ac55d

SHA512
3b54f378f695271d8dfffa142cb8c412655bd25d5e8de7b20ad487b69a530a96a2a26b2cde5e0729dfd7fb83addbfd8633a34ac1b83a92602e7cc2cb2e184d5d

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
67KB

MD5
08d077bb5c4a11b0024c1d1802679485

SHA1
e6652fc9b6ff11b98996e247d472b301569aa8da

SHA256
9a61df934f6cdf806bf40ac6b7020017260aa55f47e685f354ac4fd402b39a50

SHA512
1d33943f3ea2604066b1cb10d34decac4700ac6115739fb06632cb555e3dcb1a3adb8a208e325b18eeec0481fe34c54063a69a3d637f95eb3d6660f13aa68cbb

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
67KB

MD5
9ef21ca713f89e0f6b8f715f5c34a8a1

SHA1
f5b7a06ef10c5b3aba7a25674ddb8f30b07f9121

SHA256
81ff1a86046d14065e194d80d3caec56a36b62e8eb528725afd250d1801c08f9

SHA512
5fdf4d17b3de5fb6ae37e22f1c80da438cea7c0c106c31dd554473b32b597c4bb51b8decbfa91b1584675fd336db389c05f013d285244618e91a19c7dd7b7cd5

Download Submit
C:\Windows\SysWOW64\Qciaajej.dll

Filesize
7KB

MD5
0156595d896f16e86dac1cf2ab3062d6

SHA1
15c4893b8fab42597f54011ed62ffd3e73bc2076

SHA256
9a8031d7b6f9e47f600d0b1f77dbbc96d1a854c1fb4c8a4c91bf89ff3eb43666

SHA512
65cfcf16048e3e2f42a14fe3de2ee02d94f6da6bd14db64adc583fa9f58d0b5f85ca34a4699ac24b2dc3dd63c57b8bc02270f1940dd67e7722ae6bfcff006d55

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
67KB

MD5
aba689b80297fc12bdd24c363b6b6810

SHA1
23e20fe402208447ef2da870820871b9747e847b

SHA256
bac2d854f79f30c82c58fba2d22cb5932eda7e62bcea631071c5ccefc94d16d4

SHA512
d14c422305005ec9654bddb5dcfec9512b1829e835ce814e3cfe4cbd7f893b2e0b0e88b88be18ede6b76e3b4fdac5d6aad8284e68163f0677cc44b1136131e46

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
67KB

MD5
c5a90e3f27e782aa5ae80b0a7822335d

SHA1
eea93f2ef9d47ccd0be1ea5472c9ffd298783135

SHA256
4da639225740387b8d3dd33488c02c5fd41a9c07a7c086fdf82ac9a833d27dcb

SHA512
8e6b38cec75592949f06545f89bb36493e8f1ee71a9f61c054c99e60c2692d5769aa975d52f5edcbbf69cf42788d5450411de0476012649c6daab2c6e5e7c005

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
67KB

MD5
d261a041c0038d36c45b88b171256bfe

SHA1
63eb9cde96367a9ecb2b4aa916588944cf9b297f

SHA256
1ed01b5c88b1c07d7ecd50a84e42be1819b01cbc147afae8398a452ad96c0e0f

SHA512
b5538dc862b6730f855ec436ab689a278dcc5a8d3493cdbb3cff29624bce0b3d17bb9a5a2764c5bd26dc5316a6082d8d6489113e70c4faf606a97301b3cdb1a2

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
67KB

MD5
971200faf99cbc7c98e1b2da03f03730

SHA1
8ed69a323f51346170fefa1b66290f6f4d58ef86

SHA256
624f7f148d00295839c3b73fe2bfcef7f8f80458dda319003db12495574d81ba

SHA512
4e2b4c2fc892356247815bf117b0cda3a94d1588083ed0b20b850c2285a97a4d9b50b9c0f9ffccc430e7d57abc92f79a6c95b9e5989fbe5c397de30472af11b6

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
67KB

MD5
7c2a82c7e137d31d057358c527d1c762

SHA1
9f4e06296fa265e26a56ca26b1bdcd85f8284f11

SHA256
2656eaad024e6a6887d2ec131045fe0a54a391f11032dec346571e38966cd7d8

SHA512
976207f591b3250ff28a162460490cf573b32d1f5ad473b8a816de68a62500e0cf61d2bee84f4ff62f0042993bf685d9e39ebe142b643583e1cd051899882d24

Download Submit
memory/220-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1120-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1156-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1156-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1192-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3092-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3092-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3232-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3232-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3360-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3360-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3528-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3528-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3560-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3656-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3708-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4116-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4772-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4772-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads